Search results

Podcast: Differences between UTM and NGFW In our recent webcast discussion alongside panelists from Fortinet, NSS Labs and General... Firewall Change Management NGFW vs UTM: What you need to know Sam Erdheim 2 min read Sam Erdheim Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 2/19/13 Published Podcast: Differences between UTM and NGFW In our recent webcast discussion alongside panelists from Fortinet, NSS Labs and General Motors, we examined the State of the Firewall in 2013. We received more audience questions during the webcast than the time allowed for, so we’d like to answer these questions through several blog posts in a Q&A format with the panelists. By far the most asked question leading up to and during the webcast was: “What’s the difference between a UTM and a Next-Generation Firewall?” Here’s how our panelists responded: Pankil Vyas, Manager – Network Security Center, GM UTM are usually bundled feature set, NGFW has bundle but licensing can be selective. Depending on the firewall’s function on the network, some UTM features might not be useful, creating performance issues and sometimes firewall conflicts with packet flows. Nimmy Reichenberg, VP of Strategy, AlgoSec Different people give different answers to this question, but if we refer to Gartner who are certainly a credible source, a UTM consolidates many security functions (email security, AV, IPS, URL filtering etc.) and is tailored mostly to SMBs in terms of management capabilities, throughput, support, etc. A NGFW is an enterprise-grade product that at the very least includes IPS capabilities and application awareness (layer 7 control). You can refer to a Gartner paper titled “Defining the Next-Generation Firewall” for more information. Ryan Liles, Director of Testing Services, NSS Labs There really aren’t any differences in a UTM and a NGFW. The technologies used in the two are essentially the same, and they generally have the same capabilities. UTM devices are typically classified with lower throughput ratings than their NGFW counterparts, but for all practical purposes the differences are in marketing. The term NGFW was coined by vendors working with Gartner to create a class of products capable of fitting into an enterprise network that contained all of the features of a UTM. The reason for the name shift is that there was a pervasive line of thought stating a device capable of all of the functions of a UTM/NGFW would never be fast enough to run in an enterprise network. As hardware has progressed, the capability of these devices to hit multi-gigabit speeds began to prove that they were indeed capable of enterprise deployment. Rather than try and fight the sentiment that a UTM could never fit into an enterprise, the NGFW was born. Patrick Bedwell, VP of Products, Fortinet There are several definitions in the market of both terms. Analyst firms IDC and Gartner provided the original definitions of the terms. IDC defined UTM as a security appliance that combines firewall, gateway antivirus, and intrusion detection / intrusion prevention (IDS/IPS). Gartner defined an NGFW as a single device with integrated IPS with deep packet scanning, standard first-generation FW capabilities (NAT, stateful protocol inspection, VPN, etc.) and the ability to identity and control applications running on the network. Since their initial definitions, the terms have been used interchangeably by customers as well as vendors. Depending on with whom you speak, UTM can include NGFW features like application ID and control, and NGFW can include UTM features like gateway antivirus. The terms are often used synonymously, as both represent a single device with consolidated functionality. At Fortinet, for example, we offer customers the ability to deploy a FortiGate device as a pure firewall, an NGFW (enabling features like Application Control or User- and Device-based policy enforcement) or a full UTM (enabling additional features like gateway AV, WAN optimization, and so forth). Customers can deploy as much or as little of the technology on the FortiGate device as they need to match their requirements. If you missed the webcast, you can view it on-demand. We invite you to continue this debate and discussion by commenting here on the blog or via the Twitter hashtag Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Last week our CTO, Professor Avishai Wool, presented a technical webinar on the do’s and don’ts for managing external connectivity to and... Auditing and Compliance 4 tips to manage your external network connections Joanne Godfrey 2 min read Joanne Godfrey Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/10/15 Published Last week our CTO, Professor Avishai Wool, presented a technical webinar on the do’s and don’ts for managing external connectivity to and from your network . We kicked off our webinar by polling the audience (186 people) on how many external permanent connections into their enterprise network they have. 40% have less than 50 external connections 31% have 50-250 external connections 24% have more than 250 external connections 5% wish they knew how many external connections they have! Clearly this is a very relevant issue for many enterprises, and one which can have a profound effect on security. The webinar covered a wide range of best practices for managing the external connectivity lifecycle and I highly recommend that you view the full presentation. But in the meantime, here are a few key issues that you should be mindful of when considering how to manage external connectivity to and from your network: Network Segmentation While there has to be an element of trust when you let an external partner into your network, you must do all you can to protect your organization from attacks through these connections. These include placing your servers in a demilitarized zone (DMZ), segregating them by firewalls, restricting traffic in both directions from the DMZ as well as using additional controls such as web application firewalls, data leak prevention and intrusion detection. Regulatory Compliance Bear in mind that if the data being accessed over the external connection is regulated, both your systems and the related peer’s systems are now subject t. So if the network connection touches credit card data, both sides of the connection are in scope, and outsourcing the processing and management of regulated data to a partner does not let you off the hook. Maintenance Sometimes you will have to make changes to your external connections, either due to planned maintenance work by your IT team or the peer’s team, or as a result of unplanned outages. Dealing with changes that affect external connections is more complicated than internal maintenance, as it will probably require coordinating with people outside your organisation and tweaking existing workflows, while adhering to any contractual or SLA obligations. As part of this process, remember that you’ll need to ensure that your information systems allow your IT teams to recognize external connections and provide access to the relevant technical information in the contract, while supporting the amended workflows. Contracts In most cases there is a contract that governs all aspects of the external connection – including technical and business issues. The technical points will include issues such as IP addresses and ports, technical contact points, SLAs, testing procedures and the physical location of servers. It’s important, therefore, that this contract is adhered to whenever dealing with technical issues related to external connections. These are just a few tips and issues to be aware of. To watch the webinar from Professor Wool in full, check out the recording here . Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

The fusion of Cloud and AI is more than just a technological advancement; it’s a paradigm shift. As businesses harness the combined power... Hybrid Cloud Security Management The confluence of cloud and AI: charting a secure path in the age of intelligent innovation Adel Osta Dadan 2 min read Adel Osta Dadan Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 9/20/23 Published The fusion of Cloud and AI is more than just a technological advancement; it’s a paradigm shift. As businesses harness the combined power of these transformative technologies, the importance of a security-centric approach becomes increasingly evident. This exploration delves deeper into the strategic significance of navigating the Cloud-AI nexus with a focus on security and innovation. Cloud and AI: catalysts for business transformation The cloud provides the foundational infrastructure, while AI infuses intelligence, making systems smarter and more responsive. Together, they’re reshaping industries, driving efficiencies, and creating new business models. However, with these opportunities come challenges. Ensuring robust security in this intertwined environment is not just a technical necessity but a strategic imperative. As AI algorithms process vast datasets in the cloud, businesses must prioritize the protection and integrity of this data to build and maintain trust. Building trust in intelligent systems In the age of AI, data isn’t just processed; it’s interpreted, analyzed, and acted upon. This autonomous decision-making demands a higher level of trust. Ensuring the confidentiality, integrity, and availability of data in the cloud becomes paramount. Beyond just data protection, it’s about ensuring that AI-driven decisions, which can have real-world implications, are made based on secure and untampered data. This trust forms the bedrock of AI’s value proposition in the cloud. Leadership in the Cloud-AI era Modern leaders are not just visionaries; they’re also gatekeepers. They stand at the intersection of innovation and security, ensuring that as their organizations harness AI in the cloud, ethical considerations and security protocols are front and center. This dual role is challenging but essential. As AI-driven applications become integral to business operations, leaders must champion a culture where security and innovation coexist harmoniously. Seamless integration and the role of DevSecOps Developing AI applications in the cloud is a complex endeavor. It requires a seamless integration of development, operations, and crucially, security. Enter DevSecOps. This approach ensures that security is embedded at every stage of the development lifecycle. From training AI models to deploying them in cloud environments, security considerations are integral, ensuring that the innovations are both groundbreaking and grounded in security. Collaborative security for collective intelligence AI’s strength lies in its ability to derive insights from vast datasets. In the interconnected world of the cloud, data flows seamlessly across boundaries, making collaborative security vital. Protecting this collective intelligence requires a unified approach, where security protocols are integrated across platforms, tools, and teams. Future-proofing the Cloud-AI strategy The technological horizon is ever-evolving. The fusion of Cloud and AI is just the beginning, and as businesses look ahead, embedding security into their strategies is non-negotiable. It’s about ensuring that as new technologies emerge and integrate with existing systems, the foundation remains secure and resilient. AlgoSec’s unique value proposition At AlgoSec, we understand the intricacies of the Cloud-AI landscape. Our application-based approach ensures that businesses have complete visibility into their digital assets. With AlgoSec, organizations gain a clear view of their application connectivity, ensuring that security policies align with business processes. As AI integrates deeper into cloud strategies, AlgoSec’s solutions empower businesses to innovate confidently, backed by a robust security framework. Our platform provides holistic, business-level visibility across the entire network infrastructure. With features like AlgoSec AppViz and AppChange, businesses can seamlessly identify network security vulnerabilities, plan migrations, accelerate troubleshooting, and adhere to the highest compliance standards. By taking an application-centric approach to security policy management, AlgoSec bridges the gap between IT teams and application delivery teams, fostering collaboration and ensuring a heightened security posture. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As your organization adopts a hybrid IT infrastructure, there are more ways for hackers to steal your sensitive data. This is why cloud... Cloud Security Cloud Application Security: Threats, Benefits, & Solutions Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/29/23 Published As your organization adopts a hybrid IT infrastructure, there are more ways for hackers to steal your sensitive data. This is why cloud application security is a critical part of data protection. It allows you to secure your cloud-based applications from cyber threats while ensuring your data is safe. This post will walk you through cloud application security, including its importance. We will also discuss the main cloud application security threats and how to mitigate them. What is Cloud Application Security Cloud application security refers to the security measures taken to protect cloud-based assets throughout their development lifecycle. These security measures are a framework of policies, tools, and controls that protect your cloud against cyber threats. Here is a list of security measures that cloud application security may involve: Compliance with industry standards such as CIS benchmarks to prevent data breaches. Identity management and access controls to prevent unauthorized access to your cloud-based apps. Data encryption and tokenization to protect sensitive data. Vulnerability management through vulnerability scanning and penetration testing. Network perimeter security, such as firewalls, to prevent unwanted access. The following are some of the assets that cloud security affects: Third-party cloud providers like Amazon AWS, Microsoft Azure, and Google GCP. Collaborative applications like Slack and Microsoft Teams. Data Servers. Computer Networks. Why is Cloud Application Security Important Cloud application security is becoming more relevant as businesses migrated their data to the cloud in recent years. This is especially true for companies with a multi-cloud environment. These types of environments create a larger attack surface for hackers to exploit. According to IBM , the cost of a data breach in 2022 was $4.35 million. And this represents an increase of 2.6% from the previous year. The report also revealed that it took an average of 287 days to find and stop a data breach in a cloud environment. This time is enough for hackers to steal sensitive data and really damage your assets. Here are more things that can go wrong if organizations don’t pay attention to cloud security: Brand image damage: A security breach may cause a brand’s reputation to suffer and a decline in client confidence. During a breach, your company’s servers may be down for days or weeks. This means customers who paid for your services will not get access in that time. They may end up destroying your brand’s image through word of mouth. Lost consumer trust: Consumer confidence is tough to restore after being lost due to a security breach. Customers could migrate to rivals they believe to be more secure. Organizational disruption: A security breach may cause system failures preventing employees from working. This, in turn, could affect their productivity. You may also have to fire employees tasked with ensuring cloud security. Data loss: You may lose sensitive data, such as client information, resulting in legal penalties. Trade secrets theft may also affect the survival of your organization. Your competitors may steal your only leverage in the industry. Compliance violations: You may be fined for failing to comply with industry regulations such as GDPR. You may also face legal consequences for failing to protect consumer data. What are the Major Cloud Application Security Threats The following is a list of the major cloud application security threats: Misconfigurations: Misconfigurations are errors made when setting up cloud-based applications. They can occur due to human errors, lack of expertise, or mismanagement of cloud resources. Examples include weak passwords, unsecured storage baskets, and unsecured ports. Hackers may use these misconfigurations to access critical data in your public cloud. Insecure data sharing: This is the unauthorized or unintended sharing of sensitive data between users. Insecure data sharing can happen due to a misconfiguration or inappropriate access controls. It can lead to data loss, breaches, and non-compliance with regulatory standards. Limited visibility into network operations: This is the inability to monitor and control your cloud infrastructure and its apps. Limited network visibility prevents you from quickly identifying and responding to cyber threats. Many vulnerabilities may go undetected for a long time. Cybercriminals may exploit these weak points in your network security and gain access to sensitive data. Account hijacking: This is a situation where a hacker gains unauthorized access to a legitimate user’s cloud account. The attackers may use various social engineering tactics to steal login credentials. Examples include phishing attacks, password spraying, and brute-force attacks. Once they access the user’s cloud account, they can steal data or damage assets from within. Employee negligence and inadequately trained personnel: This threat occurs when employees are not adequately trained to recognize, report and prevent cyber risks. It can also happen when employees unintentionally or intentionally engage in risky behavior. For example, they could share login credentials with unauthorized users or set weak passwords. Weak passwords enable attackers to gain entry into your public cloud. Rogue employees can also intentionally give away your sensitive data. Compliance risks: Your organization faces cloud computing risks when non-compliant with industry regulations such as GDPR, PCI-DSS, and HIPAA. Some of these cloud computing risks include data breaches and exposure of sensitive information. This, in turn, may result in fines, legal repercussions, and reputational harm. Data loss: Data loss is a severe security risk for cloud applications. It may happen for several causes, including hardware malfunction, natural calamities, or cyber-attacks. Some of the consequences of data loss may be the loss of customer trust and legal penalties. Outdated security software: SaaS vendors always release updates to address new vulnerabilities and threats. Failing to update your security software on a regular basis may leave your system vulnerable to cyber-attacks. Hackers may exploit the flaws in your outdated SaaS apps to gain access to your cloud. Insecure APIs: APIs are a crucial part of cloud services but can pose a severe security risk if improperly secured. Insecure APIs and other endpoint infrastructure may cause many severe system breaches. They can lead to a complete system takeover by hackers and elevated privileged access. How to Mitigate Cloud Application Security Risks The following is a list of measures to mitigate cloud app security risks: Conduct a thorough risk analysis: This entails identifying possible security risks and assessing their potential effects. You then prioritize correcting the risks depending on their level of severity. By conducting risk analysis on a regular basis, you can keep your cloud environment secure. You’ll quickly understand your security posture and select the right security policies. Implement a firm access control policy: Access control policies ensure that only authorized users gain access to your data. They also outline the level of access to sensitive data based on your employees’ roles. A robust access control policy comprises features such as: Multi-factor authentication Role-based access control Least Privilege Access Strong password policies. Use encryption: Encryption is a crucial security measure that protects sensitive data in transit and at rest. This way, if an attacker intercepts data in transit, it will only be useful if they have a decryption key. Some of the cloud encryption solutions you can implement include: Advanced Encryption Standard (AES) Rivest -Shamir-Addleman (RSA) Transport Layer Security (TSL) Set up data backup and disaster recovery policies: A data backup policy ensures data is completely recovered in case of breaches. You can always recover the lost data from your data backup files. Data backup systems also help reduce the impact of cyberattacks as you will restore normal operations quickly. Disaster recovery policies focus on establishing protocols and procedures to restore critical systems during a major disaster. This way, your data security will stay intact even when disaster strikes. Keep a constant watch over cloud environments: Security issues in cloud settings can only be spotted through continuous monitoring. Cloud security posture management tools like Prevasio can help you monitor your cloud for such issues. With its layer analysis feature, you’ll know the exact area in your cloud and how to fix it. Test and audit cloud security controls regularly: Security controls help you detect and mitigate potential security threats in your cloud. Examples of security controls include firewalls, intrusion detection systems, and database encryption. Auditing these security controls helps to identify gaps they may have. And then you take corrective actions to restore their effectiveness. Regularly evaluating your security controls will reduce the risk of security incidents in your cloud. Implement a security awareness training program: Security awareness training helps educate employees on cloud best practices. When employees learn commonly overlooked security protocols, they reduce the risks of data breaches due to human error. Organize regular assessment tests with your employees to determine their weak points. This way, you’ll reduce chances of hackers gaining access to your cloud through tactics such as phishing and ransomware attacks. Use the security tools and services that cloud service providers offer: Cloud service providers like AWS, Azure, and Google Cloud Platform (GCP) offer security tools and services such as: Web application firewalls (WAF), Runtime application self-protection (RASP), Intrusion detection and prevention systems Identity and access management (IAM) controls You can strengthen the security of your cloud environments by utilizing these tools. However, you should not rely solely on these features to ensure a secure cloud. You also need to implement your own cloud security best practices. Implement an incident response strategy: A security incident response strategy describes the measures to take during a cyber attack. It provides the procedures and protocols to bring the system back to normal in case of a breach. Designing incident response plans helps to reduce downtime. It also minimizes the impact of the damages due to cyber attacks. Apply the Paved Road Security Approach in DevSecOps Processes: DevSecOps environments require security to be integrated into development workflows and tools. This way, cloud security becomes integral to an app development process. The paved road security approach provides a secure baseline that DevSecOps can use for continuous monitoring and automated remediation. Automate your cloud application security practices Using on-premise security practices such as manual compliance checks to mitigate cloud application security threats can be tiring. Your security team may also need help to keep up with the updates as your cloud needs grow. Cloud vendors that can automate all the necessary processes to maintain a secure cloud. They have cloud security tools to help you achieve and maintain compliance with industry standards. You can improve your visibility into your cloud infrastructures by utilizing these solutions. They also spot real-time security challenges and offer remediations. For example, Prevasio’s cloud security solutions monitor cloud environments continually from the cloud. They can spot possible security threats and vulnerabilities using AI and machine learning. What Are Cloud Application Security Solutions? Cloud application security solutions are designed to protect apps and other assets in the cloud. Unlike point devices, cloud application security solutions are deployed from the cloud. This ensures you get a comprehensive cybersecurity approach for your IT infrastructure. These solutions are designed to protect the entire system instead of a single point of vulnerability. This makes managing your cybersecurity strategy easier. Here are some examples of cloud security application solutions: 1. Cloud Security Posture Management (CSPM) : CSPM tools enable monitoring and analysis of cloud settings for security risks and vulnerabilities. They locate incorrect setups, resources that aren’t compliant, and other security concerns that might endanger cloud infrastructures. 2. The Cloud Workload Protection Platform (CWPP) : This cloud application security solution provides real-time protection for workloads in cloud environments . It does this by detecting and mitigating real-time threats regardless of where they are deployed. CWPP solutions offer various security features, such as: Network segmentation File integrity monitoring Vulnerability scanning. Using CWPP products will help you optimize your cloud application security strategy. 3. Cloud Access Security Broker (CASB) : CASB products give users visibility into and control over the data and apps they access in the cloud. These solutions help businesses enforce security guidelines and monitor user behavior in cloud settings. The danger of data loss, leakage, and unauthorized access is lowered in the process. CASB products also help with malware detection. 4. Runtime Application Self Protection (RASP): This solution addresses security issues that may arise while a program is working. It identifies potential threats and vulnerabilities during runtime and thwarts them immediately. Some of the RASP solutions include: Input validation Runtime hardening Dynamic Application Security testing 5. Web Application and API protection (WAAP) : These products are designed to protect your organization’s Web applications and APIs. They monitor outgoing and incoming web apps and API traffic to detect malicious activity. WAAP products can block any unauthorized access attempts. They can also protect against cyber threats like SQL injection and Cross-site scripting. 6. Data Loss Prevention (DLP): DLP products are intended to stop the loss or leaking of private information in cloud settings. These technologies keep track of sensitive data in use and at rest. They can also enforce rules to stop unauthorized people from losing or accessing it. 7. Security Information and Event Management (SIEM) systems : SIEM systems track and analyze real-time security incidents and events in cloud settings. The effect of security breaches is decreased thanks to these solutions. They help firms in detecting and responding to security issues rapidly. Cloud Native Application Protection Platform (CNAPP) The CNAPP, which Prevasio created, raises the bar for cloud security. It combines CSPM, CIEM, IAM, CWPP, and more in one tool. A CNAPP delivers a complete security solution with sophisticated threat detection and mitigation capabilities for packaged workloads, microservices, and cloud-native applications. The CNAPP can find and eliminate security issues in your cloud systems before hackers can exploit them. With its layer analysis feature, you can quickly fix any potential vulnerabilities in your cloud . It pinpoints the exact layer of code where there are errors, saving you time and effort. CNAPP also offers a visual dynamic analysis of your cloud environment . This lets you grasp the state of your cloud security at a glance. In the process, saving you time as you know exactly where to go. CNAPP is also a scalable cloud security solution. The cloud-native design of Prevasio’s CNAPP enables it to expand dynamically and offer real-time protection against new threats. Let Prevasio Solve Your Cloud Application Security Needs Cloud security is paramount to protecting sensitive data and upholding a company’s reputation in the modern digital age. To be agile to the constantly changing security issues in cloud settings, Prevasio’s Cloud Native Application Protection Platform (CNAPP) offers an all-inclusive solution. From layer analysis to visual dynamic analysis, CNAPP gives you the tools you need to keep your cloud secure. You can rely on Prevasio to properly manage your cloud application security needs. Try Prevasio today! Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

The aim of this post is to provide a very high-level illustration of the DNS Tunneling method used in the SolarWinds supply chain attack.... Cloud Security DNS Tunneling In The SolarWinds Supply Chain Attack Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/23/20 Published The aim of this post is to provide a very high-level illustration of the DNS Tunneling method used in the SolarWinds supply chain attack . An Attacker compromises SolarWinds company and trojanizes a DLL that belongs to its software. Some of the customers receive the malicious DLL as an update for the SolarWinds Orion software. “Corporation XYZ” receives the malicious and digitally signed DLL via update. SolarWinds Orion software loads the malicious DLL as a plugin. Once activated, the DLL reads a local domain name “local.corp-xyz.com” (a fictious name). The malware encrypts the local domain name and adds it to a long domain name. The long domain name is queried with a DNS server (can be tapped by a passive DNS sensor). The recursive DNS server is not authorized to resolve avsvmcloud[.]com, so it forwards the request. An attacker-controlled authoritative DNS server resolves the request with a wildcard A record. The Attacker checks the victim’s name, then adds a CNAME record for the victim’s domain name. The new CNAME record resolves the long domain name into an IP of an HTTP-based C2 server. The malicious DLL downloads and executes the 2nd stage malware (TearDrop, Cobalt Strike Beacon). A Threat Researcher accesses the passive DNS (pDNS) records. One of the long domain names from the pDNS records is decrypted back into “local.corp-xyz.com”. The Researcher deducts that the decrypted local domain name belongs to “Corporation XYZ”. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As you may have heard already, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint... Cloud Security Drovorub’s Ability to Conceal C2 Traffic And Its Implications For Docker Containers Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/15/20 Published As you may have heard already, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory about previously undisclosed Russian malware called Drovorub. According to the report, the malware is designed for Linux systems as part of its cyber espionage operations. Drovorub is a Linux malware toolset that consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. The name Drovorub originates from the Russian language. It is a complex word that consists of 2 roots (not the full words): “drov” and “rub” . The “o” in between is used to join both roots together. The root “drov” forms a noun “drova” , which translates to “firewood” , or “wood” . The root “rub” /ˈruːb/ forms a verb “rubit” , which translates to “to fell” , or “to chop” . Hence, the original meaning of this word is indeed a “woodcutter” . What the report omits, however, is that apart from the classic interpretation, there is also slang. In the Russian computer slang, the word “drova” is widely used to denote “drivers” . The word “rubit” also has other meanings in Russian. It may mean to kill, to disable, to switch off. In the Russian slang, “rubit” also means to understand something very well, to be professional in a specific field. It resonates with the English word “sharp” – to be able to cut through the problem. Hence, we have 3 possible interpretations of ‘ Drovorub ‘: someone who chops wood – “дроворуб” someone who disables other kernel-mode drivers – “тот, кто отрубает / рубит драйвера” someone who understands kernel-mode drivers very well – “тот, кто (хорошо) рубит в драйверах” Given that Drovorub does not disable other drivers, the last interpretation could be the intended one. In that case, “Drovorub” could be a code name of the project or even someone’s nickname. Let’s put aside the intricacies of the Russian translations and get a closer look into the report. DISCLAIMER Before we dive into some of the Drovorub analysis aspects, we need to make clear that neither FBI nor NSA has shared any hashes or any samples of Drovorub. Without the samples, it’s impossible to conduct a full reverse engineering analysis of the malware. Netfilter Hiding According to the report, the Drovorub-kernel module registers a Netfilter hook. A network packet filter with a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) is a common malware technique. It allows a backdoor to watch passively for certain magic packets or series of packets, to extract C2 traffic. What is interesting though, is that the driver also hooks the kernel’s nf_register_hook() function. The hook handler will register the original Netfilter hook, then un-register it, then re-register the kernel’s own Netfilter hook. According to the nf_register_hook() function in the Netfilter’s source , if two hooks have the same protocol family (e.g., PF_INET ), and the same hook identifier (e.g., NF_IP_INPUT ), the hook execution sequence is determined by priority. The hook list enumerator breaks at the position of an existing hook with a priority number elem->priority higher than the new hook’s priority number reg->priority : int nf_register_hook ( struct nf_hook_ops * reg) { struct nf_hook_ops * elem; int err; err = mutex_lock_interruptible( & nf_hook_mutex); if (err < 0 ) return err; list_for_each_entry(elem, & nf_hooks[reg -> pf][reg -> hooknum], list) { if (reg -> priority < elem -> priority) break ; } list_add_rcu( & reg -> list, elem -> list.prev); mutex_unlock( & nf_hook_mutex); ... return 0 ; } In that case, the new hook is inserted into the list, so that the higher-priority hook’s PREVIOUS link would point into the newly inserted hook. What happens if the new hook’s priority is also the same, such as NF_IP_PRI_FIRST – the maximum hook priority? In that case, the break condition will not be met, the list iterator list_for_each_entry will slide past the existing hook, and the new hook will be inserted after it as if the new hook’s priority was higher. By re-inserting its Netfilter hook in the hook handler of the nf_register_hook() function, the driver makes sure the Drovorub’s Netfilter hook will beat any other registered hook at the same hook number and with the same (maximum) priority. If the intercepted TCP packet does not belong to the hidden TCP connection, or if it’s destined to or originates from another process, hidden by Drovorub’s kernel-mode driver, the hook will return 5 ( NF_STOP ). Doing so will prevent other hooks from being called to process the same packet. Security Implications For Docker Containers Given that Drovorub toolset targets Linux and contains a port forwarding tool to route network traffic to other hosts on the compromised network, it would not be entirely unreasonable to assume that this toolset was detected in a client’s cloud infrastructure. According to Gartner’s prediction , in just two years, more than 75% of global organizations will be running cloud-native containerized applications in production, up from less than 30% today. Would the Drovorub toolset survive, if the client’s cloud infrastructure was running containerized applications? Would that facilitate the attack or would it disrupt it? Would it make the breach stealthier? To answer these questions, we have tested a different malicious toolset, CloudSnooper, reported earlier this year by Sophos. Just like Drovorub, CloudSnooper’s kernel-mode driver also relies on a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) to extract C2 traffic from the intercepted TCP packets. As seen in the FBI/NSA report, the Volatility framework was used to carve the Drovorub kernel module out of the host, running CentOS. In our little lab experiment, let’s also use CentOS host. To build a new Docker container image, let’s construct the following Dockerfile: FROM scratch ADD centos-7.4.1708-docker.tar.xz / ADD rootkit.ko / CMD [“/bin/bash”] The new image, built from scratch, will have the CentOS 7.4 installed. The kernel-mode rootkit will be added to its root directory. Let’s build an image from our Dockerfile, and call it ‘test’: [root@localhost 1]# docker build . -t test Sending build context to Docker daemon 43.6MB Step 1/4 : FROM scratch —> Step 2/4 : ADD centos-7.4.1708-docker.tar.xz / —> 0c3c322f2e28 Step 3/4 : ADD rootkit.ko / —> 5aaa26212769 Step 4/4 : CMD [“/bin/bash”] —> Running in 8e34940342a2 Removing intermediate container 8e34940342a2 —> 575e3875cdab Successfully built 575e3875cdab Successfully tagged test:latest Next, let’s execute our image interactively (with pseudo-TTY and STDIN ): docker run -it test The executed image will be waiting for our commands: [root@8921e4c7d45e /]# Next, let’s try to load the malicious kernel module: [root@8921e4c7d45e /]# insmod rootkit.ko The output of this command is: insmod: ERROR: could not insert module rootkit.ko: Operation not permitted The reason why it failed is that by default, Docker containers are ‘unprivileged’. Loading a kernel module from a docker container requires a special privilege that allows it doing so. Let’s repeat our experiment. This time, let’s execute our image either in a fully privileged mode or by enabling only one capability – a capability to load and unload kernel modules ( SYS_MODULE ). docker run -it –privileged test or docker run -it –cap-add SYS_MODULE test Let’s load our driver again: [root@547451b8bf87 /]# insmod rootkit.ko This time, the command is executed silently. Running lsmod command allows us to enlist the driver and to prove it was loaded just fine. A little magic here is to quit the docker container and then delete its image: docker rmi -f test Next, let’s execute lsmod again, only this time on the host. The output produced by lsmod will confirm the rootkit module is loaded on the host even after the container image is fully unloaded from memory and deleted! Let’s see what ports are open on the host: [root@localhost 1]# netstat -tulpn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1044/sshd With the SSH server running on port 22 , let’s send a C2 ‘ping’ command to the rootkit over port 22 : [root@localhost 1]# python client.py 127.0.0.1 22 8080 rrootkit-negotiation: hello The ‘hello’ response from the rootkit proves it’s fully operational. The Netfilter hook detects a command concealed in a TCP packet transferred over port 22 , even though the host runs SSH server on port 22 . How was it possible that a rootkit loaded from a docker container ended up loaded on the host? The answer is simple: a docker container is not a virtual machine. Despite the namespace and ‘control groups’ isolation, it still relies on the same kernel as the host. Therefore, a kernel-mode rootkit loaded from inside a Docker container instantly compromises the host, thus allowing the attackers to compromise other containers that reside on the same host. It is true that by default, a Docker container is ‘unprivileged’ and hence, may not load kernel-mode drivers. However, if a host is compromised, or if a trojanized container image detects the presence of the SYS_MODULE capability (as required by many legitimate Docker containers), loading a kernel-mode rootkit on a host from inside a container becomes a trivial task. Detecting the SYS_MODULE capability ( cap_sys_module ) from inside the container: [root@80402f9c2e4c /]# capsh –print Current: = cap_chown, … cap_sys_module, … Conclusion This post is drawing a parallel between the recently reported Drovorub rootkit and CloudSnooper, a rootkit reported earlier this year. Allegedly built by different teams, both of these Linux rootkits have one mechanism in common: a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) and a toolset that enables tunneling of the traffic to other hosts within the same compromised cloud infrastructure. We are still hunting for the hashes and samples of Drovorub. Unfortunately, the YARA rules published by FBI/NSA cause False Positives. For example, the “Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client binaries based on unique strings and strings indicating statically linked libraries” enlists the following strings: “Poco” “Json” “OpenSSL” “clientid” “—–BEGIN” “—–END” “tunnel” The string “Poco” comes from the POCO C++ Libraries that are used for over 15 years. It is w-a-a-a-a-y too generic, even in combination with other generic strings. As a result, all these strings, along with the ELF header and a file size between 1MB and 10MB, produce a false hit on legitimate ARM libraries, such as a library used for GPS navigation on Android devices: f058ebb581f22882290b27725df94bb302b89504 56c36bfd4bbb1e3084e8e87657f02dbc4ba87755 Nevertheless, based on the information available today, our interest is naturally drawn to the security implications of these Linux rootkits for the Docker containers. Regardless of what security mechanisms may have been compromised, Docker containers contribute an additional attack surface, another opportunity for the attackers to compromise the hosts and other containers within the same organization. The scenario outlined in this post is purely hypothetical. There is no evidence that supports that Drovorub may have affected any containers. However, an increase in volume and sophistication of attacks against Linux-based cloud-native production environments, coupled with the increased proliferation of containers, suggests that such a scenario may, in fact, be plausible. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

A recent news article from Bleeping Computer called out an incident involving Japanese game developer Ateam, in which a misconfiguration... Cyber Attacks & Incident Response Mitigating cloud security risks through comprehensive automated solutions Malynnda Littky-Porath 2 min read Malynnda Littky-Porath Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 1/8/24 Published A recent news article from Bleeping Computer called out an incident involving Japanese game developer Ateam, in which a misconfiguration in Google Drive led to the potential exposure of sensitive information for nearly one million individuals over a period of six years and eight months. Such incidents highlight the critical importance of securing cloud services to prevent data breaches. This blog post explores how organizations can avoid cloud security risks and ensuring the safety of sensitive information. What caused the Ateam Google Drive misconfiguration? Ateam, a renowned mobile game and content creator, discovered on November 21, 2023, that it had mistakenly set a Google Drive cloud storage instance to “Anyone on the internet with the link can view” since March 2017. This configuration error exposed 1,369 files containing personal information, including full names, email addresses, phone numbers, customer management numbers, and device identification numbers, for approximately 935,779 individuals. Avoiding cloud security risks by using automation To prevent such incidents and enhance cloud security, organizations can leverage tools such as AlgoSec, a comprehensive solution that addresses potential vulnerabilities and misconfigurations. It is important to look for cloud security partners who offer the following key features: Automated configuration checks: AlgoSec conducts automated checks on cloud configurations to identify and rectify any insecure settings. This ensures that sensitive data remains protected and inaccessible to unauthorized individuals. Policy compliance management: AlgoSec assists organizations in adhering to industry regulations and internal security policies by continuously monitoring cloud configurations. This proactive approach reduces the likelihood of accidental exposure of sensitive information. Risk assessment and mitigation: AlgoSec provides real-time risk assessments, allowing organizations to promptly identify and mitigate potential security risks. This proactive stance helps in preventing data breaches and maintaining the integrity of cloud services. Incident response capabilities: In the event of a misconfiguration or security incident, AlgoSec offers robust incident response capabilities. This includes rapid identification, containment, and resolution of security issues to minimize the impact on the organization. The Ateam incident serves as a stark reminder of the importance of securing cloud services to safeguard sensitive data. AlgoSec emerges as a valuable ally in this endeavor, offering automated configuration checks, policy compliance management, risk assessment, and incident response capabilities. By incorporating AlgoSec into their security strategy, organizations can significantly reduce the risk of cloud security incidents and ensure the confidentiality of their data. Request a brief demo to learn more about advanced cloud protection. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Like all security tools, firewalls can be hacked. That’s what happened to the... Cyber Attacks & Incident Response Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/20/23 Published Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Like all security tools, firewalls can be hacked. That’s what happened to the social media platform X in January 2023, when it was still Twitter. Hackers exploited an API vulnerability that had been exposed since June the previous year. This gave them access to the platform’s security system and allowed them to leak sensitive information on millions of users. This breach occurred because the organization’s firewalls were not configured to examine API traffic with enough scrutiny. This failure in firewall protection led to the leak of more than 200 million names, email addresses, and usernames, along with other information, putting victims at risk of identity theft . Firewalls are your organization’s first line of defense against malware and data breaches. They inspect all traffic traveling into and out of your network, looking for signs of cyber attacks and blocking malicious activity when they find it. This makes them an important part of every organization’s cybersecurity strategy. Effective firewall management and configuration is vital for preventing cybercrime. Read on to find out how you can protect your organization from attacks that exploit firewall vulnerabilities you may not be aware of. Understanding the 4 Types of Firewalls The first thing every executive and IT leader should know is that there are four basic types of firewalls . Each category offers a different level of protection, with simpler solutions costing less than more advanced ones. Most organizations need to use some combination of these four firewall types to protect sensitive data effectively. Keep in mind that buying more advanced firewalls is not always the answer. Optimal firewall management usually means deploying the right type of firewall for its particular use case. Ideally, these should be implemented alongside multi-layered network security solutions that include network detection and response, endpoint security, and security information and event management (SIEM) technology. 1. Packet Filtering Firewalls These are the oldest and most basic types of firewalls. They operate at the network layer, checking individual data packets for their source IP address and destination IP. They also verify the connection protocol, as well as the source port and destination port against predefined rules. The firewall drops packets that fail to meet these standards, protecting the network from potentially harmful threats. Packet filtering firewalls are among the fastest and cheapest types of firewalls available. Since they can not inspect the contents of data packets, they offer minimal functionality. They also can’t keep track of established connections or enforce rules that rely on knowledge of network connection states. This is why they are considered stateless firewalls. 2. Stateful Inspection Firewalls These firewalls also perform packet inspection, but they ingest more information about the traffic they inspect and compare that information against a list of established connections and network states. Stateful inspection firewalls work by creating a table that contains the IP and port data for traffic sources and destinations, and dynamically check whether data packets are part of a verified active connection. This approach allows stateful inspection firewalls to deny data packets that do not belong to a verified connection. However, the process of checking data packets against the state table consumes system resources and slows down traffic. This makes stateful inspection firewalls vulnerable to Distributed Denial-of-Service (DDoS) attacks. 3. Application Layer Gateways These firewalls operate at the application layer, inspecting and managing traffic based on specific applications or protocols, providing deep packet inspection and content filtering. They are also known as proxy firewalls because they can be implemented at the application layer through a proxy device. In practice, this means that an external client trying to access your system has to send a request to the proxy firewall first. The firewall verifies the authenticity of the request and forwards it to an internal server. They can also work the other way around, providing internal users with access to external resources (like public web pages) without exposing the identity or location of the internal device used. 4. Next-Generation Firewalls (NGFW) Next-generation firewalls combine traditional firewall functions with advanced features such as intrusion prevention, antivirus, and application awareness . They contextualize data packet flows and enrich them with additional data, providing comprehensive security against a wide range of threats. Instead of relying exclusively on IP addresses and port information, NGFWs can perform identity-based monitoring of individual users, applications, and assets. For example, a properly configured NGFW can follow a single user’s network traffic across multiple devices and operating systems, providing an activity timeline even if the user switches between a desktop computer running Microsoft Windows and an Amazon AWS instance controlling routers and iOT devices. How Do These Firewalls Function? Each type of firewall has a unique set of functions that serve to improve the organization’s security posture and prevent hackers from carrying out malicious cyber attacks. Optimizing your firewall fleet means deploying the right type of solution for each particular use case throughout your network. Some of the most valuable functions that firewalls perform include: Traffic Control They regulate incoming and outgoing traffic, ensuring that only legitimate and authorized data flows through the network. This is especially helpful in cases where large volumes of automated traffic can slow down routine operations and disrupt operations. For example, many modern firewalls include rules designed to deny bot traffic. Some non-human traffic is harmless, like the search engine crawlers that determine your website’s ranking against certain keyword searches. However, the vast majority of bot traffic is either unnecessary or malicious. Firewalls can help you keep your infrastructure costs down by filtering out connection attempts from automated sources you don’t trust. Protection Against Cyber Threats Firewalls act as a shield against various cyber threats, including phishing attacks, malware and ransomware attacks . Since they are your first line of defense, any malicious activity that targets your organization will have to bypass your firewall first. Hackers know this, which is why they spend a great deal of time and effort finding ways to bypass firewall protection. They can do this by exploiting technical vulnerabilities in your firewall devices or by hiding their activities in legitimate traffic. For example, many firewalls do not inspect authenticated connections from trusted users. If cybercriminals learn your login credentials and use your authenticated account to conduct an attack, your firewalls may not notice the malicious activity at all. Network Segmentation By defining access rules, firewalls can segment networks into zones with varying levels of trust, limiting lateral movement for attackers. This effectively isolates cybercriminals into the zone they originally infiltrated, and increases the chance they make a mistake and reveal themselves trying to access additional assets throughout your network. Network segmentation is an important aspect of the Zero Trust framework. Firewalls can help reinforce the Zero Trust approach by inspecting traffic traveling between internal networks and dropping connections that fail to authenticate themselves. Security Policy Enforcement Firewalls enforce security policies, ensuring that organizations comply with their security standards and regulatory requirements. Security frameworks like NIST , ISO 27001/27002 , and CIS specify policies and controls that organizations need to implement in order to achieve compliance. Many of these frameworks stipulate firewall controls and features that require organizations to invest in optimizing their deployments. They also include foundational and organizational controls where firewalls play a supporting role, contributing to a stronger multi-layered cybersecurity strategy. Intrusion Detection and Prevention Advanced firewalls include intrusion detection and prevention capabilities, which can identify and block suspicious activities in real-time. This allows security teams to automate their response to some of the high-volume security events that would otherwise drag down performance . Automatically detecting and blocking known exploits frees IT staff to spend more time on high-impact strategic work that can boost the organization’s security posture. Logging and Reporting Firewalls generate logs and reports that assist in security analysis, incident response, and compliance reporting. These logs provide in-depth data on who accessed the organization’s IT assets, and when the connection occurred. They enable security teams to conduct forensic investigations into security incidents, driving security performance and generating valuable insights into the organization’s real-world security risk profile. Organizations that want to implement SIEM technology must also connect their firewall devices to the platform and configure them to send log data to their SIEM for centralized analysis. This gives security teams visibility into the entire organization’s attack surface and enables them to adopt a Zero Trust approach to managing log traffic. Common Vulnerabilities & Weaknesses Firewalls Share Firewalls are crucial for network security, but they are not immune to vulnerabilities. Common weaknesses most firewall solutions share include: Zero-day vulnerabilities These are vulnerabilities in firewall software or hardware that are unknown to the vendor or the general public. Attackers can exploit them before patches or updates are available, making zero-day attacks highly effective. Highly advanced NGFW solutions can protect against zero-day attacks by inspecting behavioral data and using AI-enriched analysis to detect unknown threats. Backdoors Backdoors are secret entry points left by developers or attackers within a firewall’s code. These hidden access points can be exploited to bypass security measures. Security teams must continuously verify their firewall configurations to identify the signs of backdoor attacks. Robust and effective change management solutions help prevent backdoors from remaining hidden. Header manipulation Attackers may manipulate packet headers to trick firewalls into allowing unauthorized traffic or obscuring their malicious intent. There are multiple ways to manipulate the “Host” header in HTTP traffic to execute attacks. Security teams need to configure their firewalls and servers to validate incoming HTTP traffic and limit exposure to header vulnerabilities. How Cyber Criminals Exploit These Vulnerabilities Unauthorized Access Exploiting a vulnerability can allow cybercriminals to penetrate a network firewall, gaining access to sensitive data, proprietary information, or critical systems. Once hackers gain unauthorized access to a network asset, only a well-segmented network operating on Zero Trust principles can reliably force them to reveal themselves. Otherwise, they will probably remain hidden until they launch an active attack. Data Breaches Once inside your network, attackers may exfiltrate sensitive information, including customer data, intellectual property, and financial records (like credit cards), leading to data breaches. These complex security incidents can lead to major business disruptions and reputational damage, as well as enormous recovery costs. Malware Distribution Attackers may use compromised firewalls to distribute malware, ransomware, or malicious payloads to other devices within the network. This type of attack may focus on exploiting your systems and network assets, or it may target networks adjacent to your own – like your third-party vendors, affiliate partners, or customers. Denial of Service (DDoS) Exploited firewalls can be used in DDoS attacks, potentially disrupting network services and rendering them unavailable to users. This leads to expensive downtime and reputational damage. Some hackers try to extort their victims directly, demanding organizations pay money to stop the attack. 6 Techniques Used to Bypass Firewalls 1. Malware and Payload Delivery Attackers use malicious software and payloads to exploit firewall vulnerabilities, allowing them to infiltrate networks or systems undetected. This often occurs due to unpatched security vulnerabilities in popular firewall operating systems. For example, in June 2023 Fortinet addressed a critical-severity FortiOS vulnerability with a security patch. One month later in July, there were still 300,000 Fortinet firewalls still using the unpatched operating system. 2. Phishing Attacks Phishing involves tricking individuals into divulging sensitive information or executing malicious actions. Attackers use deceptive emails or websites that may bypass firewall filters. If they gain access to privileged user account credentials, they may be able to bypass firewall policies entirely, or even reconfigure firewalls themselves. 3. Social Engineering Tactics Cybercriminals manipulate human psychology to deceive individuals into disclosing confidential information, effectively bypassing technical security measures like firewalls. This is typically done through social media, email, or by telephone. Attackers may impersonate authority figures both inside and outside the organization and demand access to sensitive assets without going through the appropriate security checks. 4. Deep Packet Inspection Evasion Attackers employ techniques to disguise malicious traffic, making it appear benign to firewalls using deep packet inspection, allowing it to pass through undetected. Some open-source tools like SymTCP can achieve this by running symbolic executions on the server’s TCP implementation, scanning the resulting execution paths, and sending malicious data through any handling discrepancies identified. 5. VPNs and Remote Access Attackers may use Virtual Private Networks (VPNs) and remote access methods to circumvent firewall restrictions and gain unauthorized entry into networks. This is particularly easy in cases where simple geo restrictions block traffic from IP addresses associated with certain countries or regions. Attackers may also use more sophisticated versions of this technique to access exposed services that don’t require authentication, like certain containerized servers . 6. Intrusion Prevention Systems (IPS) Bypass Sophisticated attackers attempt to evade IPS systems by crafting traffic patterns or attacks that go undetected, enabling them to compromise network security. For example, they may use technologies to decode remote access tool executable files hidden inside certificate files, allowing them to reassemble the malicious file after it passes through the IPS. Protecting Against Firewall Vulnerabilities Multi-factor Authentication (MFA) MFA adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a one-time code sent to their mobile device, before they gain access. This prevents attackers from accessing sensitive network assets immediately after stealing privileged login credentials. Knowing an account holder’s password and username is not enough. Two-factor Authentication (2FA) 2FA is a subset of MFA that involves using two authentication factors, typically something the user knows (password) and something the user has (a mobile device or security token), to verify identity and enhance firewall security. Other versions use biometrics like fingerprint scanning to authenticate the user. Intrusion Prevention Systems (IPS) IPS solutions work alongside firewalls to actively monitor network traffic for suspicious activity and known attack patterns, helping to block or mitigate threats before they can breach the network. These systems significantly reduce the amount of manual effort that goes into detecting and blocking known malicious attack techniques. Web Application Firewalls (WAF) WAFs are specialized firewalls designed to protect web applications from a wide range of threats, including SQL injection, cross-site scripting (XSS), and other web-based attacks. Since these firewalls focus specifically on HTTP traffic, they are a type of application level gateway designed specifically for web applications that interact with users on the public internet. Antivirus Software and Anti-malware Tools Deploying up-to-date antivirus and anti-malware software on endpoints, servers, and Wi-Fi network routers helps detect and remove malicious software, reducing the risk of firewall compromise. In order to work effectively, these tools must be configured to detect and mitigate the latest threats alongside the organization’s other security tools and firewalls. Automated solutions can help terminate unauthorized processes before attackers get a chance to deliver malicious payloads. Regular Updates and Patch Management Keeping firewalls and all associated software up-to-date with the latest security patches and firmware updates is essential for addressing known vulnerabilities and ensuring optimal security. Security teams should know when configuration changes are taking place, and be equipped to respond quickly when unauthorized changes take place. Implementing a comprehensive visibility and change management platform like AlgoSec makes this possible. With AlgoSec, you can simulate the effects of network configuration changes and proactively defend against sophisticated threats before attackers have a chance to strike. Monitoring Network Traffic for Anomalies Continuous monitoring of network traffic helps identify unusual patterns or behaviors that may indicate a security incident. Anomalies can trigger alerts for further investigation and response. Network detection and response solutions grant visibility into network activities that would otherwise go unnoticed, potentially giving security personnel early warning when unannounced changes or suspicious behaviors take place. Streamline Your Firewall Security With AlgoSec Organizations continue to face increasingly sophisticated cyber threats, including attacks that capitalize on misconfigured firewalls – or manipulate firewall configurations directly. Firewall management software has become a valuable tool for maintaining a robust network security posture and ensuring regulatory compliance. AlgoSec plays a vital role enhancing firewall security by automating policy analysis, optimizing rule sets, streamlining change management, and providing real-time monitoring and visibility. Find out how to make the most of your firewall deployment and detect unauthorized changes to firewall configurations with our help. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

A Decoy Network The strategy behind Sun Tzu’s ‘Art of War’ has been used by the military, sports teams, and pretty much anyone looking... Cyber Attacks & Incident Response How to Use Decoy Deception for Network Protection Matthew Pascucci 2 min read Matthew Pascucci Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/30/15 Published A Decoy Network The strategy behind Sun Tzu’s ‘Art of War’ has been used by the military, sports teams, and pretty much anyone looking for a strategic edge against their foes. As Sun Tzu says “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” Sun Tzu understood that to gain an advantage on your opponent you need to catch him off guard, make him believe you’re something you’re not, so that you can leverage this opportunity to your advantage. As security practitioners we should all supplement our security practices with this timed and tested decoy technique against cyber attackers. There are a few technologies that can be used as decoys, and two of the most common are honeypots and false decoy accounts: A honeypot is a specially designed piece of software that mimics another system, normally with vulnerable services that aren’t really vulnerable, in order to attract the attention of an attacker as they’re sneaking through your network. Decoy accounts are created in order to check if someone is attempting to log into them. When an attempt is made security experts can then investigate the attackers’ techniques and strategies, without being detected or any data being compromised. Design the right decoy But before actually setting up either of these two techniques you first need to think about how to design the decoy in a way that will be believable. These decoy systems shouldn’t be overtly obvious, yet they need to entice the hacker so that he can’t pass up the opportunity. So think like an attacker: What would an attacker do first when gaining access to a network? How would he exploit a system? Will they install malware? Will they perform a recon scan looking for pivot points? Figuring out what your opponent will do once they’ve gained access to your network is the key to building attractive decoy systems and effective preventive measures. Place it in plain sight You also need to figure out the right place for your decoys. You want to install decoys into your network around areas of high value, as well as systems that are not properly monitored with other security technologies. They should be hiding in plain sight and mimicking the systems or accounts that they’re living next to. This means running similar services, have hostnames that fall in line with your syntax, running on the same operating systems (one exception is decoys running a few exploitable services to entice the attacker). The goes the same for accounts that you’ve seeded in applications or authentication services. We decided that in addition to family photos, it was time to focus on couples photoshoot ! Last fall we aired our popular City Photoshoot Tips & Ideas and as a result, gave you TONS of ideas and inspiration. And last but not least, you need to find a way to discretely publicize your applications or accounts in order to attract the attacker. Then, when an attacker tries to log in to the decoy applications or accounts (which should be disabled) you should immediately and automatically start tracking and investigating the attack path. Watch and learn Another important point to make is that once a breach attempt has been made you shouldn’t immediately cut off the account. You might want to watch the hacker for a period of time to see what else that he might access on the network. Many times tracking their actions over a period of time will give you a lot more actionable information that will ultimately help you create a far more secure perimeter. Think of it as a plainclothes police officer following a known criminal. Many times the police will follow a criminal to see if he will lead them toward more information about their activities before making an arrest. Use the same techniques. If an attacker trips over a few of carefully laid traps, it’s possible that he’s just starting to poke around your network. It’s up to you, while you have the upper hand, to determine if you start remediation or continue to guide them under your watchful eye. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

CIS provides best practices to help companies like yours improve their cloud security posture. You’ll protect your systems against... Cloud Security What is CIS Compliance? (and How to Apply CIS Benchmarks) Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/20/23 Published CIS provides best practices to help companies like yours improve their cloud security posture. You’ll protect your systems against various threats by complying with its benchmark standards. This post will walk you through CIS benchmarks, their development, and the kinds of systems they apply to. We will also discuss the significance of CIS compliance and how Prevasio may help you achieve it. What are CIS benchmarks? CIS stands for Center for Internet Security . It’s a nonprofit organization that aims to improve companies’ cybersecurity readiness and response. Founded in 2000, the CIS comprises cybersecurity experts from diverse backgrounds. They have the common goal of enhancing cybersecurity resilience and reducing security threats. CIS compliance means adhering to the Center for Internet Security (CIS) benchmarks. CIS benchmarks are best practices and guidelines to help you build a robust cloud security strategy. These CIS benchmarks give a detailed road map for protecting a business’s IT infrastructure. They also encompass various platforms, such as web servers or cloud bases. The CIS benchmarks are frequently called industry standards. They are normally in line with other regulatory organizations, such as ISO, NIST, and HIPAA. Many firms adhere to CIS benchmarks to ensure they follow industry standards. They also do this to show their dedication to cybersecurity to clients and stakeholders. The CIS benchmarks and CIS controls are always tested through on-premises analysis by leading security firms. This ensures that CIS releases standards that are effective at mitigating cyber risks. How are the CIS benchmarks developed? A community of cybersecurity professionals around the world cooperatively develops CIS benchmarks. They exchange their knowledge, viewpoints, and experiences on a platform provided by CIS. The end result is consensus-based best practices that will protect various IT systems. The CIS benchmark development process typically involves the following steps: 1. Identify the technology: The first step is to identify the system or technology that has to be protected. This encompasses a range of applications. It can be an operating system, database, web server, or cloud environment. 2. Define the scope: The following stage is to specify the benchmark’s parameters. It involves defining what must be implemented for the technology to be successfully protected. They may include precise setups, guidelines, and safeguards. 3. Develop recommendations: Next, a community of cybersecurity experts will identify ideas for safeguarding the technology. These ideas are usually based on current best practices, norms, and guidelines. They may include the minimum security requirements and measures to be taken. 4. Expert consensus review: Thereafter, a broader group of experts and stakeholders assess the ideas. They will offer comments and suggestions for improvement. This level aims to achieve consensus on the appropriate technical safeguards. 5. Pilot testing: The benchmark is then tested in a real-world setting. At this point, CIS aims to determine its efficacy and spot any problems that need fixing. 6. Publication and maintenance: The CIS will publish the benchmark once it has been improved and verified. The benchmark will constantly be evaluated and updated to keep it current and useful for safeguarding IT systems. What are the CIS benchmark levels? CIS benchmarks are divided into three levels based on the complexity of an IT system. It’s up to you to choose the level you need based on the complexity of your IT environment. Each level of the benchmarks offers better security recommendations than the previous level. The following are the distinct categories that benchmarks are divided into: Level 1 This is the most basic level of CIS standards. It requires organizations to set basic security measures to reduce cyber threats. Some CIS guidelines at this level include password rules, system hardening, and risk management. The level 1 CIS benchmarks are ideal for small businesses with basic IT systems. Level 2 This is the intermediate level of the CIS benchmarks. It is suitable for small to medium businesses that have complex IT systems. The Level 2 CIS standards offer greater security recommendations to your cloud platform. It has guidelines for network segmentation, authentication, user permissions, logging, and monitoring. At this level, you’ll know where to focus your remediation efforts if you spot a vulnerability in your system. Level 2 also covers data protection topics like disaster recovery plans and encryption. Level 3 Level 3 is the most advanced level of the CIS benchmarks. It offers the highest security recommendations compared to the other two. Level 3 also offers the Security Technical Implementation Guide (STIG) profiles for companies. STIG are configuration guidelines developed by the Defense Information Systems Agency. These security standards help you meet US government requirements. This level is ideal for large organizations with the most sensitive and vital data. These are companies that must protect their IT systems from complex security threats. It offers guidelines for real-time security analytics, safe cloud environment setups, and enhanced threat detection. What types of systems do CIS benchmarks apply to? The CIS benchmarks are applicable to many IT systems used in a cloud environment. The following are examples of systems that CIS benchmarks can apply to: Operating systems: CIS benchmarks offer standard secure configurations for common operating systems, including Amazon Linux, Windows Servers, macOS, and Unix. They address network security, system hardening, and managing users and accounts. Cloud infrastructure: CIS benchmarks can help protect various cloud infrastructures, including public, private, and multi-cloud. They recommend guidelines that safeguard cloud systems by various cloud service providers. For example, network security, access restrictions, and data protection. The benchmarks cover cloud systems such as Amazon Web Services (AWS), Microsoft Azure, IBM, Oracle, and Google Cloud Platform. Server software: CIS benchmarks provide secure configuration baselines for various servers, including databases (SQL), DNS, Web, and authentication servers. The baselines cover system hardening, patch management, and access restrictions. Desktop software: Desktop apps such as music players, productivity programs, and web browsers can be weak points in your IT system. CIS benchmarks offer guidelines to help you protect your desktop software from vulnerabilities. They may include patch management, user and account management, and program setup. Mobile devices: The CIS benchmarks recommend safeguarding endpoints such as tablets and mobile devices. The standards include measures for data protection, account administration, and device configuration. Network devices: CIS benchmarks also involve network hardware, including switches, routers, and firewalls. Some standards for network devices include access restrictions, network segmentation, logging, and monitoring. Print devices: CIS benchmarks also cover print devices like printers and scanners. The CIS benchmark baselines include access restrictions, data protection, and firmware upgrades. Why is CIS compliance important? CIS compliance helps you maintain secure IT systems. It does this by helping you adhere to globally recognized cybersecurity standards. CIS benchmarks cover various IT systems and product categories, such as cloud infrastructures. So by ensuring CIS benchmark compliance, you reduce the risk of cyber threats to your IT systems. Achieving CIS compliance has several benefits: 1. Your business will meet internationally accepted cybersecurity standards . The CIS standards are developed through a consensus review process. This means they are founded on the most recent threat intelligence and best practices. So you can rely on the standards to build a solid foundation for securing your IT infrastructure. 2. It can help you meet regulatory compliance requirements for other important cybersecurity frameworks . CIS standards can help you prove that you comply with other industry regulations. This is especially true for companies that handle sensitive data or work in regulated sectors. CIS compliance is closely related to other regulatory compliances such as NIST, HIPAA, and PCI DSS. By implementing the CIS standards, you’ll conform to the applicable industry regulations. 3. Achieving CIS continuous compliance can help you lower your exposure to cybersecurity risks . In the process, safeguard your vital data and systems. This aids in preventing data breaches, malware infections, and other cyberattacks. Such incidents could seriously harm your company’s operations, image, and financial situation. A great example is the Scottish Oil giant, SSE. It had to pay €10M in penalties for failing to comply with a CIS standard in 2013. 4. Abiding by the security measures set by CIS guidelines can help you achieve your goals faster as a business. The guidelines cover the most important and frequently attacked areas of IT infrastructure. 5. CIS compliance enhances your general security posture. It also decreases the time and resources needed to maintain security. It does this by providing uniform security procedures across various platforms. How to achieve CIS compliance? Your organization can achieve CIS compliance by conforming to the guidelines of the CIS benchmarks and CIS controls. Each CIS benchmark usually includes a description of a recommended configuration. It also usually contains a justification for the implementation of the configuration. Finally, it offers step-by-step instructions on how to carry out the recommendation manually. While the standards may seem easy to implement manually, they may consume your time and increase the chances of human errors. That is why most security teams prefer using tools to automate achieving and maintaining CIS compliance. CIS hardened images are great examples of CIS compliance automation tools. They are pre-configured images that contain all the necessary recommendations from CIS benchmarks. You can be assured of maintaining compliance by using these CIS hardened images in your cloud environment. You can also use CSPM tools to automate achieving and maintaining CIS compliance. Cloud Security Posture Management tools automatically scan for vulnerabilities in your cloud. They then offer detailed instructions on how to fix those issues effectively. This way, your administrators don’t have to go through the pain of doing manual compliance checks. You save time and effort by working with a CSPM tool. Use Prevasio to monitor CIS compliance. Prevasio is a cloud-native application platform (CNAPP) that can help you achieve and maintain CIS compliance in various setups, including Azure, AWS, and GCP. A CNAPP is basically a CSPM tool on steroids. It combines the features of CSPM, CIEM, IAM, and CWPP tools into one solution. This means you’ll get clearer visibility of your cloud environment from one platform. Prevasio constantly assesses your system against the latest version of CIS benchmarks. It then generates reports showing areas that need adjustments to keep your cloud security cyber threat-proof. This saves you time as you won’t have to do the compliance checks manually. Prevasio also has a robust set of features to help you comply with standards from other regulatory bodies. So using this CSPM tool, you’ll automatically comply with HIPAA, PCI DSS, and GDPR. Prevasio offers strong vulnerability evaluation and management capabilities besides CIS compliance monitoring. It uses cutting-edge scanning algorithms to find known flaws, incorrect setups, and other security problems in IT settings. This can help you identify and fix vulnerabilities before fraudsters can exploit them. The bottom line on CIS compliance Achieving and maintaining CIS compliance is essential in today’s continually changing threat landscape . However, doing the compliance checks manually takes time. You may not also spot weaknesses in your cloud security in time. This means that you need to automate your CIS compliance. And what better solution than a cloud security posture management tool like Prevasio? Prevasio is the ideal option for observing compliance and preventing malware that attack surfaces in cloud assets. Prevasio offers a robust security platform to help you achieve CIS compliance and maintain a secure IT environment. This platform is agentless, meaning it doesn’t run on the cloud like most of its competitors. So you save a lot in costs every time Prevasio runs a scan. Prevaiso also conducts layer analysis. It helps you spot the exact line of code where the problem is rather than give a general area. In the process, saving you time spent identifying and solving critical threats. Try Prevasio today! Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As cloud adoption and digital transformation increases, more sensitive data from applications is being stored in data containers. This is... Application Connectivity Management How to Make Container Security Threats More Containable Prof. Avishai Wool 2 min read Prof. Avishai Wool Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 9/8/22 Published As cloud adoption and digital transformation increases, more sensitive data from applications is being stored in data containers. This is why effective container security controls to securely manage application connectivity is an absolute must. AlgoSec CTO and Co-Founder, Prof. Avishai Wool provides some useful container security best practices to help you do just that. What is Container Security? Organizations, now more than ever, are adopting container technology. Instead of powering up servers and instances in the cloud, they are using containers to run business applications. Securing these is equally as important as securing other digital assets that the business is dependent on. There are two main pillars to think about: The code: you want to be able to scan the containers and make sure that they are running legitimate code without any vulnerabilities. The network: you need to control access to and from the container (what it can connect to), both inside the same cluster, other clusters, and different parts of the network. How critical is container security to managing application connectivity risks? To understand the role of container security within the overall view of network security, there are three points to consider. First, if you’re only concerned about securing the containers themselves, then you’re looking at nano-segmentation , which involves very granular controls inside the applications. Second, if you’re thinking about a slightly wider scope then you may be more concerned with microsegmentation , where you are segmenting between clusters or between servers in a single environment. Here you will want to enforce security controls that determine the allowable communication between specific endpoints at specific levels. Finally, if the communication needs to go further, from a container inside one cluster within one cloud environment to an asset that’s outside of the data center, then that might need to go through broader segmentation controls such as zoning technologies, security groups or a firewall at the border. So, there are all these layers where you can place network security policies. When you’re looking at a particular connectivity request (say for a new version of an application) from the point of view of a given container you should ask yourself: what is the container connected to? What is it communicating with? Where are those other sides of the connectivity placed? Based on that determination, you will then know which security controls you need to configure to allow that connectivity through the network. How does containerization correlate with application centric security policy management? There are a number of different aspects to the relationship between container security and application security. If an application uses containers to power up workloads then container security is very much an integral part of application security. When you’re adding new functionality to an application, powering up additional containers, asking containers to perform new tasks whereby they need to connect to additional assets, then the connectivity of those containers needs to be secured. And security controls need to be regulated or changed based on what the application needs them to do. Another factor in this relationship is the structure of the application. All the containers that run and support the application are often located in one cluster or a micro-segment of the network. So, much of the communication takes place inside that cluster, between one container or another, all in the same cluster. However, some of it can go to another cluster or somewhere that’s not even containerized. This is actually a good thing from an application point of view as the container structure can be used to understand the application structure as well. Not sure about container orchestration? Here’s what to know Container orchestration is part of a bigger orchestration play which is, in general, related to the concept of infrastructure as code. You want to be able to power up an environment with all the assets it requires, and have it function simultaneously so you can duplicate it. There are various orchestration technologies that can be used to deploy the security policies for containers , which is an excellent way to maintain container-based applications in a consistent and repeatable manner. Then if you need to double it or multiply it by 100, you can get cookie-cutter copies of the same thing. How will container security solutions play out in the future? Organizations today have the technology to enforce security controls at the container level, but these controls are very granular and it’s time-consuming to set policies and enforce them, particularly with issues like staff or skills shortages. Looking ahead, companies are likely to take a hierarchical view where container-based security is controlled at the application level by app owners or developers, and at the broader levels to ensure that the measures deployed throughout the network have the same degree of sophistication. Procedures and tooling are all evolving, so we don’t have a definitive answer as to how this will all end up. What are organizations going to be doing? Where will they place their controls? Who has the power to make the changes? When newer technologies are deployed, customer adoption will be crucial to understanding what makes the most sense. This will be interesting as there will be multiple scenarios to help companies master their security blueprint as we move forward. To learn how the use of containerization as a strategy can help reduce risk and drive application-centric security, check out this video . Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Eric Jeffery, AlgoSec’s regional solutions engineer, gives his view on the pivotal role of AppSec network engineers and how they can... Application Connectivity Management How AppSec Network Engineers Can Align Security with the Business Eric Jeffery 2 min read Eric Jeffery Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 7/13/22 Published Eric Jeffery, AlgoSec’s regional solutions engineer, gives his view on the pivotal role of AppSec network engineers and how they can positively impact the business It may surprise many people but the number one skills gap hampering today’s application security network engineers is primarily centred around the soft skills which includes communication, writing, presentation, team building and critical thinking. Why is this so important? Because first and foremost, their goal is to manage the organization’s security posture by deploying the best application security tools and technologies for the specific security and growth needs of the business. Keep things safe but don’t get in the way of revenue generation What an application security network engineer should not do is get in the way of developing new business-critical or revenue generating applications. At the same time, they need to understand that they have a leadership role to play in steering a safe and profitable course for the business. Starting with an in depth understanding of all wired traffic, AppSec network engineers need to know what applications are running on the network, how they communicate, who they communicate with and how to secure the traffic and connectivity flow associated with each one of them. An AppSec network engineer’s expertise should extend much more than mastering simple applications such as FTP and SSH. Rather, business traffic continuity should sit at the pinnacle of their responsibilities. There’s a lot of revenue generating traffic that they need to understand and put the right guardrails to protect it. However, equally as important, they need to make sure that the traffic is not hindered by outdated or irrelevant rules and policies, to avoid any negative financial impact on the organization. Layers of expertise beyond the OSI model A good starting point for any AppSec network engineer is to acquire a commanding knowledge of the seven layers of the OSI model, especially Layer 6 which covers Presentation. In practical terms, this means that they should have a thorough understanding of the network and transport layers – knowing what traffic is going across the network and why. It’s also helpful to have basic scripting knowledge and an understanding of simple scripts such as a cron job for scheduling tasks. It could also be useful to know some basic level programming like Perl and PHP. Beyond the network skills, AppSec network engineers should grasp the business vertical in which they operate. Once they gain an understanding of the business DNA and the applications that make it tick, then they can add real value to their organizations. What’s on the network vs. what should be on the network Should AppSec network engineers be expected to understand business and applications? Absolutely. With this level of skill and knowledge, they can help the business progress securely by corelating what is actually in the network environment versus what should be in the environment. Once they have clear understanding, they can clean up then environment and optimize network performance with enhanced security. This becomes more critical as organizations grow and develop, often allowing too much unnecessary traffic into the environment. Typically, this is how the scenario plays out: Applications are added or removed (decommissioned), or a new vendor or solution is brought on board and the firewall turns into a de facto router. The end result of such often leads to new vulnerabilities and too many unnecessary threat vectors. This is precisely where the aforementioned soft skills come in – an AppSec network engineer should be able to call out practices that don’t align with business goals. It’s also incumbent upon organizations to offer soft skills training to help their AppSec network engineers become more valuable to their teams. Need an application view to be effective in securing the business When firewalls become de facto routers, organizations end up relying on other areas for security. However, security needs to be aligned with the applications to prevent cyber attacks from getting onto the network and then from moving laterally across the network, should they manage to bypass the firewalls. All too often, east-west security is inadequate and therefore, AppSec network engineers need to look at network segmentation and application segmentation as part of a holistic network security strategy. The good news is that there are some great new technologies that can help with segmenting an internal network. The lesser good news is that there’s a danger in the thinking that by bolting on new tools, the problem will be solved. So often these tools are only partially deployed before the team moves onto the next “latest and the greatest” solution. When exploring new technologies, AppSec network engineers must ask themselves the following: Is there a matching use case for each solution? Will procurement of another tool lead to securing the environment or will it just be another useless “flavor of the month” tool? Irregardless, once the new technology solution is acquired, it is imperative to align the right skilful people with this technology to enable the organization to intelligently secure the whole environment before moving onto a new tool. To further hone this point, celebrating the introduction of a new firewall is superfluous if at the end of the day, it does not utilize the right rules and policies. Ushering some of these new technologies without proper deployment will only leave gaping holes and give organizations a false sense of security, exposing them to continuous risks. Don’t put the cloud native cart before the horse The role of an AppSec network engineer becomes even more critical when moving to the cloud. It starts with asking probing questions: What are the applications in the business and why are we moving them to the cloud? Is it for scalability, speed of access or to update a legacy system? Will the business benefit from the investment and the potential performance impact? It’s also important to consider the architecture in the cloud: Is it containerized, public cloud, private cloud or hybrid? Once you get definitive answers to these questions, create reference architectures and get senior level buy-in. Finally, think about the order in which the enterprise migrates applications to the cloud and maybe start with some non-critical applications that only affect a small number of locations or people before risking moving critical revenue generating applications. Don’t put the cart before the horse. DevSecOps: We should be working together; you can be sure the criminals are… Network application security is complicated enough without introducing internal squabbles over resources or sacrificing security for speed. Security teams and development teams need to work together and focus on what is best for your business. Again, this where the soft skills like teamwork, communications and project management come into play. The bottom line is this: Understand bad actors and prepare for the worst. The bad guys are just chomping at the bit, waiting for your organizations to make the next mistake. To beat them, DevSecOps teams must leverage all the resources they have available. Future promise or false sense of security? There are some exciting new technologies to look forward to in the horizon to help secure the application environment. Areas like quantum computing, machine learning, AI and blockchain show great promise in outfoxing the cyber criminals in the healthcare and financial services industries. It is expected that the AppSec network engineer will play a vital role in the viability of these new technologies. Yet, the right technology will still need to be applied to the right use case correctly and then fully deployed to in order see any effective results. The takeaway So much of the role of the AppSec network engineer is about taking a cold hard look at the goals of the business and asking some challenging questions. It all starts with “what’s right for the business?” rather than “what’s the latest technology we can get our hands on?” To be an effective AppSec network engineer, individuals should not only know the corporate network inside out, but they also must have an overall grasp of applications and the applicable business cases they support. Furthermore, collaboration with developers and operations (DevOps) becomes an agent for rapid deployment of revenue generating or mission critical applications. But it still goes back to the soft skills. To protect the business from taking needless security risks and demand a seat at the decision-making table, AppSec network engineers need to apply strong leadership, project management and communications skills To learn more on the importance of AppSec network engineers to your organization’s cybersecurity team, watch the following video Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call